Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
Citation Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Off. J.L. 281 (Nov. 23, 1995) (full-text) ("1995 Data Protection Directive"). Overview The Directive became effective October 1998. It comprises a general framework of data protection practices for the processing of personal data, which it defines as "any information relating to an identified or identifiable natural person," about European Union citizens. It requires each of the EU Member States to enact laws governing the "processing of personal data." The EU’s 27 member countries have implemented this framework in their own national laws.See European Commission, Status of Implementation of Directive 95/46 on the Protection of Individuals with Regard to the Processing of Personal Data (listing national laws). Data transfers to non-EU Countries Significantly, the Directive obligates EU Member States to prohibit data transfers to non-European countries that do not have "adequate levels of protection" for personal data.A country is considered to have “adequate” data protections if the European Commission certifies that its laws and regulations maintain the same levels of protection as the EU law. Such transfers are regulated by Articles 25 and 26 of the Directive. According to Article 25(1), a transfer of personal data “may take place only if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection.” The essential concern of the Directive on this point is to ensure that personal data lawfully processed in the EU (and the EEA) remain subject to safeguards when transferred to third countries. The Directive thus determines the situations where personal data may be transferred to third countries. The preferred solution under Article 25 of the Directive is one where there is an adequate level of protection; this can be assessed by the Member States or by the European Commission.The Commission has the power to make determinations of adequacy that are binding on EU (and EEA) Member States. Article 25(6)2. But there also exist situations where the level of protection has not been assessed and determined but where personal data may nevertheless be transferred to the third country: * the controller adduces additional safeguards with respect to the protection of privacy and fundamental rights (e.g. by using appropriate contractual clauses or binding corporate rules)Article 26(2).; * the controller adopts the Commission’s standard contractual clausesArticle 26(4).; * the controller can refer to one of the six derogations listed in Article 26(1). The Directive does not cover transfers of personal data in the course of judicial and police cooperation activities falling within Titles V and VI of the Treaty on European Union. EU-US Safe Harbor Agreement The European Commission expressed concern that some of the data protection practices of the United States (e.g., self-regulatory privacy initiatives) would not be deemed "adequate protection" under the Directive. U.S. and EU officials engaged in informal dialogue concerning implementation of the directive. The dialogue focused on the goals of enhancing data protection for European citizens while maintaining the free flow of personal information between Europe and the United States. On November 4, 1998, former U.S. Department of Commerce Undersecretary for International Trade David L. Aaron proposed a “safe harbor” for U.S. companies that choose to adhere to certain privacy principles. After extensive discussions, on March 14, 2000, the European Commission and the United States finalized the U.S.-EU Safe Harbor Framework. Criticism Recent developments On January 25, 2012, the European Commission proposed a data protection reform package, including a Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data ("General Data Protection Regulation"),General Data Protection Regulation (full-text). which will replace Directive 95/46/EC. References Category:Privacy Category:International law Category:1995 Category:1998